Bug 26102: Prevent XSS when To.json is used: subscription-add.tt

Test the process of adding a subscription, entering both a valid vendor
ID and a non-existent vendor ID. The non-existent vendor ID should
trigger a validation alert.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Owen Leonard 2020-08-11 15:22:33 +00:00 committed by Fridolin Somers
parent 081fbd2466
commit b211b2be91

@ -585,7 +585,7 @@ fieldset.rows table { clear: none; margin: 0; }
var MSG_MANA_NO_SUBSCRIPTION_FOUND = _("No subscription found on Mana Knowledge Base");
var MSG_MANA_SHARE_PATTERN = _("Please feel free to share your pattern with all others librarians once you are done");
var BOOKSELLER_IDS = [% To.json( bookseller_ids ) || '[]' | $raw %];
var BOOKSELLER_IDS = [% To.json( bookseller_ids ) || '[]' | html %];
</script>
[% Asset.js("js/subscription-add.js") | $raw %]
[% Asset.js("js/showpredictionpattern.js") | $raw %]
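
Review bot: On the `var BOOKSELLER_IDS` line, the `html` filter is applied to JSON that is emitted inside a `<script>` block, where the browser does not decode HTML entities, so any quote or ampersand in the serialized data would reach the JavaScript parser as a literal `&quot;` or `&amp;` and break the array literal. That is harmless as long as `bookseller_ids` only ever holds numeric IDs, which the variable name and the test plan suggest, but nothing in the visible lines enforces it. I would add a short template comment stating that the list is numeric, so the `To.json(...) | html` pattern is not copied to a call that serializes strings, where it would stop the XSS but also corrupt the data. It would also help if the test plan named the input that triggered the XSS before the change, so the fix can be verified directly rather than only through the vendor ID validation alert.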